Re: Problems with SSL, Pam/SSHD Authentication & FDS

Dave Della Costa wrote:
Hi folks,

This isn't strictly a FDS question (I think!) but I'm hoping there are some people on the list who have significant experience and can offer advice.

I've gotten FDS set up, I've generated the cert and imported it into my client machine's /etc/openldap/cacerts directory. When I run

ldapsearch -ZZ

...on the client machine it works fine; this wasn't working correctly until I did a few tweaks in my /etc/openldap/ldap.conf directory (specifically, I had an IP address instead of hostname, so I was getting a 'host doesn't match cert' or something like that error).

So, it seems like SSL is set up and working fine, BUT, I cannot do sshd authentication via SSL. As soon as I uncomment 'ssl on' I start getting this in my /var/log/messages:

Nov 9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
Nov  9 12:46:47 a last message repeated 3 times
Nov 9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...

When I turn it back off, it binds to the regular (non-SSL) LDAP port on the FDS server and authentication happens just fine.

Nov 9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server ldap://x.x.com after 1 attempt
Nov 9 12:47:03 a sshd(pam_unix)[8395]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=blap
Nov 9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for blap from x.x.x.x port 48049 ssh2
Nov 9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap by (uid=0)
Nov 9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server ldap://x.x.com after 1 attempt

(if you hadn't noticed, I changed all the IPs and hostnames in the above log examples...).

What the heck could this be? I'm not sure what the proper options in the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but so far I've tried (in addition to 'ssl on') setting sslpath, "ssl start_tls," tls_cacertfile, and tls_cacertdir. Or is this something screwed up in my /etc/openldap/ldap.conf? I'm using the howto here: http://directory.fedora.redhat.com/wiki/Howto:SSL
Did you edit /etc/ssh/sshd_config and set "UsePAM yes"?

Any help would be greatly appreciated.  Thanks!

Dave D.

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
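The thread turns on two files: the nss_ldap/pam_ldap /etc/ldap.conf (the 'ssl on', uri, tls_cacertfile and tls_cacertdir directives Dave mentions) and the sshd_config UsePAM setting the reply asks about. The following script is an added example, not code from the list or from the Fedora Directory Server project. It lints constructed copies of both files for the combinations discussed here. The hostname-versus-IP rule is the one Dave reports hitting with ldapsearch; the rule that 'ssl on' (LDAPS) paired with a plain ldap:// URI is the usual cause of "Can't contact LDAP server", and the rule that TLS without a CA file or directory leaves the server certificate unverifiable, are the author's assumptions about typical nss_ldap behaviour, not statements quoted from the page. File paths and values in the samples are constructed.

```shell
#!/bin/sh
# Added example (not from the list post): lint an nss_ldap-style ldap.conf and
# an sshd_config for the settings the thread discusses. Rules marked ASSUMPTION
# are the author's reading of common nss_ldap failures, not documented behaviour.

# Print the last value given for a directive (case-insensitive) in a file.
last_value() {  # $1 = file, $2 = lowercase directive name
    awk -v k="$2" 'tolower($1) == k { v = $2 } END { if (v != "") print v }' "$1"
}

# True when the argument is a dotted IPv4 literal rather than a hostname.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Lint an ldap.conf. Prints one WARN/OK line per finding and, as its last
# line, "warnings=<n>" so callers can test the count.
lint_ldap_conf() {
    f="$1"; n=0
    ssl=$(last_value "$f" ssl)
    uri=$(last_value "$f" uri)
    host=$(last_value "$f" host)
    cafile=$(last_value "$f" tls_cacertfile)
    cadir=$(last_value "$f" tls_cacertdir)

    # Peer name the client will compare against the server certificate:
    # host part of the uri if present, otherwise the 'host' directive.
    peer=""
    case "$uri" in
        ldap://*|ldaps://*) peer=${uri#*://}; peer=${peer%%/*}; peer=${peer%%:*} ;;
    esac
    [ -n "$peer" ] || peer="$host"

    # Rule reported in the thread: an IP literal fails the cert hostname check.
    if [ -n "$ssl" ] && [ -n "$peer" ] && is_ipv4 "$peer"; then
        echo "WARN: TLS peer '$peer' is an IP literal; the certificate hostname check fails unless the cert carries that IP"
        n=$((n + 1))
    fi
    # ASSUMPTION: 'ssl on' selects LDAPS, so an ldap:// URI points it at the plaintext port.
    if [ "$ssl" = "on" ]; then
        case "$uri" in
            ldap://*)
                echo "WARN: 'ssl on' is LDAPS but uri '$uri' uses ldap://; use ldaps://$peer:636 or 'ssl start_tls'"
                n=$((n + 1)) ;;
        esac
    fi
    # ASSUMPTION: without a CA file/dir here (or in the system openldap ldap.conf) the peer cert cannot be verified.
    if [ -n "$ssl" ] && [ -z "$cafile" ] && [ -z "$cadir" ]; then
        echo "WARN: TLS enabled but neither tls_cacertfile nor tls_cacertdir is set; server certificate cannot be verified"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ] && echo "OK: no TLS configuration problems found in $f"
    echo "warnings=$n"
}

# Returns 0 when the effective sshd setting is UsePAM yes.
sshd_uses_pam() {
    v=$(last_value "$1" usepam)
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "yes" ]
}

warning_count() { lint_ldap_conf "$1" | sed -n 's/^warnings=//p'; }

# Constructed sample configs, written to a temp dir so the script runs offline.
TMP=$(mktemp -d)
BAD_CONF="$TMP/ldap.conf.bad"; GOOD_CONF="$TMP/ldap.conf.good"; SSHD_CONF="$TMP/sshd_config"
cat > "$BAD_CONF" <<'EOF'
# constructed: IP literal, ldap:// scheme with ssl on, no CA configured
uri ldap://192.0.2.10
base dc=example,dc=com
ssl on
EOF
cat > "$GOOD_CONF" <<'EOF'
# constructed: hostname matching the cert, LDAPS scheme, CA file set
uri ldaps://ldap.example.com:636
base dc=example,dc=com
ssl on
tls_cacertfile /etc/openldap/cacerts/ca.crt
EOF
printf 'UsePAM yes\nPasswordAuthentication no\n' > "$SSHD_CONF"

lint_ldap_conf "$BAD_CONF"
lint_ldap_conf "$GOOD_CONF"
sshd_uses_pam "$SSHD_CONF" && echo "OK: sshd has UsePAM yes" || echo "WARN: sshd lacks UsePAM yes"
```

Run it against a real /etc/ldap.conf and /etc/ssh/sshd_config by passing those paths to lint_ldap_conf and sshd_uses_pam instead of the constructed files; the checks only read the files and make no network connection, so they are safe to run on a production host before restarting sshd.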
